General

  • Target

    203993093_pdf.js

  • Size

    360KB

  • Sample

    221004-nevcxaafh3

  • MD5

    6f2c97bf1745f01cc594012a64900a49

  • SHA1

    d68ccd50762846d471073f102fbd9f99239e524b

  • SHA256

    b01d2309cb59eb34644f2037924b50fc2590c84bec5ce560c58a0c8cd6b93b12

  • SHA512

    8a6defcd4cc89ab9169e573639b323404b8ff5389b5d8cd8954e3bf306136987edb0ba35f1556ebba18bcd67f4477e5f58afec73a7a056ae184e03e3db243416

  • SSDEEP

    6144:gbwPMadFh2RmOGOSEBSH427dTIRTKFFBz5U7A5UW+PU0I/2CMBIhNsSkBI9nfcS:gcX2iOSEB24WKxKLBz5U0Us042rSNhOO

Malware Config

Extracted

Family

formbook

Campaign

xrob

Decoy

dV8FCtdWdnfMJ9thh8l/

IJG6Bh4iMeHVBHNp2MrpTA==

NhPKKtmQxnHYF/80

f4M2RhGEf3Ot13+qLrKqxb9f3dXj9Q==

A/689/MibSRBgkPkx07m+H+g

e8OOkUu9y/uYCMsdrR3s0mODmGw3d8t9Og==

gLN5bn+Zq1VQXmOOvw==

NFcQGvViY5sxmkty83Fde4GQhg==

XWMfFSM3f7GT9w==

Ih6vvqf9R8gDObM=

FGAlLASHlpLaUUKUJIwm9ABQ2Js=

v8R615LDC8iWchwv

m+u3rLUxScgDObM=

jc3eahERf7GT9w==

TYNBVDadkpTF76HeNl/rbwWtLSbyPzM=

j6NQmhWeOi2B

aqJocUfM3v97ryScY6EiSMbVyBak

V7nYOyEZKa2J/KKh5RMhJrbyK/eC/Q==

8zPsAt3ejcgDObM=

Rpe+BrGBzpGa9q8FHKpi

Targets

    • Target

      203993093_pdf.js

    • Size

      360KB

    • MD5

      6f2c97bf1745f01cc594012a64900a49

    • SHA1

      d68ccd50762846d471073f102fbd9f99239e524b

    • SHA256

      b01d2309cb59eb34644f2037924b50fc2590c84bec5ce560c58a0c8cd6b93b12

    • SHA512

      8a6defcd4cc89ab9169e573639b323404b8ff5389b5d8cd8954e3bf306136987edb0ba35f1556ebba18bcd67f4477e5f58afec73a7a056ae184e03e3db243416

    • SSDEEP

      6144:gbwPMadFh2RmOGOSEBSH427dTIRTKFFBz5U7A5UW+PU0I/2CMBIhNsSkBI9nfcS:gcX2iOSEB24WKxKLBz5U0Us042rSNhOO

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks